Never Block Addresses - Sensor IP

Ok, finally convinced the boss to buy a 4240 and I am setting it up....
As far as Never Block IPs are concerned, is it profitable to use the Sensor IP, since it uses that IP as the Source Address?
What I mean is, say this is your setup:
INET --> PIX --> Router
Besides using the PIX as a blocking device, I am also using the Router, as it connects to some other networks and VPN devices. I have an inbound ACL that I am using as a Post-Block ACL. This ACL blocks spoofing. But when the sensor logs into the router and reconfigures the ACLs (per-host manual block), the sensor IP is permitted first, and this undoes some of the anti-spoofing ACEs in the Post-Shun ACL: if, on the off chance, the sensor's IP were used in a spoofing attack, it would be given a free pass into the network.
BTW, I do have uRPF and other anti-spoofing measures set up on the PIX, but I am a big fan of layered security and don't want to compromise our network.

As far as never block addresses are concerned, my view is that you shouldn't block your own range, as you could create a denial of service on yourself.
With regard to using the router as a blocking device, you need to move your anti-spoofing ACL off the outside interface, as the sensor needs to use that exclusively to dynamically create ACLs. I suggest you move it to the inside interface and change the direction, i.e. instead of inbound, make it outbound.
If you have a PIX you could also consider using the PIX as the shunning device and leaving your anti-spoofing ACL on the transit router; unless your transit router is quick performance-wise, the PIX will probably be the better option.
I hope this helps.
Regards, Mark
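As an added illustration (not part of the original thread, and not taken from any device configuration), the following Python model reproduces the ordering problem the question describes and the layout Mark suggests. The sensor address, the protected range, the blocked and external hosts, and the assumed layout of the sensor-generated ACL (sensor address permitted first, then Pre-Block ACEs, then the dynamic denies, then Post-Block ACEs, then permit any) are assumptions made for the example.

```python
"""Added example, not from the original thread.

Models first-match ACL evaluation on a router to show:
  1. the gap the question describes: with the anti-spoofing ACEs in the
     Post-Block ACL, a packet forging the sensor's own address is permitted by
     the leading 'permit sensor' line before the anti-spoofing denies are reached;
  2. Mark's layout: the sensor owns the outside-inbound ACL, and the
     anti-spoofing ACEs move to the inside interface, outbound.
Addresses, names and the generated-ACL layout are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    src: str                    # source CIDR
    dst: str = "0.0.0.0/0"      # destination CIDR (any by default)


def evaluate(acl, src, dst):
    """IOS-style first match; implicit deny if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if s in ipaddress.ip_network(ace.src) and d in ipaddress.ip_network(ace.dst):
            return ace.action
    return "deny"


SENSOR_IP = "192.0.2.10"      # assumed: sensor management address, inside the protected range
INSIDE_NET = "192.0.2.0/24"   # assumed: protected range behind the router

# Anti-spoofing ACEs: traffic arriving from the Internet must never claim an
# inside or private source. A real list would also carry the other bogon ranges.
ANTI_SPOOF = [
    Ace("deny", INSIDE_NET),
    Ace("deny", "10.0.0.0/8"),
    Ace("deny", "172.16.0.0/12"),
    Ace("deny", "192.168.0.0/16"),
    Ace("deny", "127.0.0.0/8"),
]


def sensor_generated_acl(blocked_hosts, pre_block=(), post_block=()):
    """Assumed layout of the ACL the sensor pushes to the blocking router:
    its own address permitted first (so a block can never cut it off), then
    the Pre-Block ACEs, the dynamic per-host denies, the Post-Block ACEs,
    and finally permit any."""
    acl = [Ace("permit", f"{SENSOR_IP}/32")]
    acl += list(pre_block)
    acl += [Ace("deny", f"{host}/32") for host in blocked_hosts]
    acl += list(post_block)
    acl.append(Ace("permit", "0.0.0.0/0"))
    return acl


def decision_antispoof_in_postblock(blocked_hosts, src, dst):
    """The question's layout: anti-spoofing lives in the Post-Block ACL on the
    outside interface, inbound, below the sensor's own permit line."""
    return evaluate(sensor_generated_acl(blocked_hosts, post_block=ANTI_SPOOF), src, dst)


def decision_antispoof_inside_outbound(blocked_hosts, src, dst):
    """Mark's layout: the outside-inbound ACL is the sensor's alone; a packet
    that passes it is then checked against the anti-spoofing ACEs outbound
    on the inside interface."""
    if evaluate(sensor_generated_acl(blocked_hosts), src, dst) == "deny":
        return "deny"
    return evaluate(ANTI_SPOOF + [Ace("permit", "0.0.0.0/0")], src, dst)


if __name__ == "__main__":
    forged = (SENSOR_IP, "192.0.2.50")   # Internet packet forging the sensor address
    print("anti-spoof in Post-Block ACL :", decision_antispoof_in_postblock(["203.0.113.5"], *forged))
    print("anti-spoof inside, outbound  :", decision_antispoof_inside_outbound(["203.0.113.5"], *forged))
```

The first layout returns permit for the forged packet and the second returns deny, while a host the sensor has actually blocked (203.0.113.5 here) and an untouched external host come out the same either way. One check before adopting the inside-outbound placement: if the router also forwards traffic between the other networks and VPN devices mentioned in the question, any of those sources that fall inside the denied ranges would now be dropped on the inside interface, so the anti-spoofing list has to be written for that interface's legitimate sources rather than copied verbatim from the outside.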

Similar Messages

  • IPS MC Never Block Masks IDS4 vs. IPS5

    Using the IPS Management Center 2.1 I can create a never block entry 9.xxx.0.0/255.255.128.0 for an IDS4 sensor, but when I do this with an IPS5 sensor (both IDSM-2s) I get the error message: Error
    Object update failed. Validation exception during object update. Netmask is invalid for the given IP address
    Of course I can create the entry for a version 4 sensor and use the copy wizard to copy it to the version 5 sensor, and that works as long as one doesn't edit the entry, but it is a pain. Maybe you can fix this in the next release.

    I have not used the IPS MC 2.1.
    But I do know that the format in the IPS 5.0 CLI and IDM has changed between versions 4.1 and 5.0.
    In version 4.1 the netmask used the 255.255.128.0 format. In version 5.0 the format changed to specifying the number of digits used for the network, e.g. /17.
    You might check to see whether IPS MC is now expecting the /17 format when configuring 5.0 sensors.

  • IPS 5.1(3) never-block-networks not working

    Our Cisco IDS 4200 appliances have been converted from 4.1(x) to 5.1(3) with the latest signature S252. I'm going through fine-tuning and enabling countermeasures step by step. One thing I noticed is that even though a never-block-host for our /19 CIDR is configured, the IPS is still blocking IPs within that range. Am I correct in understanding the behavior of never-block-network with IPS 5.1(3) as meaning never ever block, right? I'll try breaking it down into /24s since maybe it doesn't like /19.

    Something else you may want to consider as a workaround.
    Instead of solely relying on the NeverBlock list, you can also create event-action-filters in 5.1(3) that can remove the "request-block-host" and "request-block-connection" event actions.
    In 4.1 the filters would remove the entire alert and all actions for the alert.
    So if you tried to use filters to prevent the Blocks it would also keep you from seeing the alert in your alert viewer.
    But in 5.0/5.1 you can now independently remove actions from the event.
    So you can create a filter for all signatures where the attacker address is the addresses you never want blocked, and remove the request-block-host and request-block-connection actions.
    This way, when the sensorApp/AnalysisEngine service triggers an event for the attack, it will not even send the block request to the network access controller service, but will still go ahead and do the rest of the event actions that were configured on the signature.
    There is also now a specific action required in order to get an event to actually create an alert for viewing. This event action is "produce-alert".
    So if the "produce-alert" and "request-block-host" event actions were both configured on the signature, then the filter can remove the "request-block-host" event action and still allow the "produce-alert" event action to happen.

  • The IO operation at logical block address # for Disk # was retried

    Hello everyone,
    A warning appears in the system log:
    ===
    Log Name:      System
    Source:        disk
    Date:          2/20/2013 1:00:28 PM
    Event ID:      153
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      STRANGE.aqa.com.ru
    Description:
    The IO operation at logical block address af7ff for Disk 7 was retried.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="disk" />
        <EventID Qualifiers="32772">153</EventID>
        <Level>3</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-02-20T09:00:28.199176700Z" />
        <EventRecordID>12669</EventRecordID>
        <Channel>System</Channel>
        <Computer>STRANGE.aqa.com.ru</Computer>
        <Security />
      </System>
      <EventData>
        <Data>\Device\Harddisk7\DR142</Data>
        <Data>af7ff</Data>
        <Data>7</Data>
        <Binary>0F01040003002C00000000009900048000000000000000000000000000000000000000000000000000020828</Binary>
      </EventData>
    </Event>
    ===
    This warning occurred several seconds after the Windows Server Backup started. Our backup job finishes successfully. That server is in provisioning without a heavy workload, and we have not experienced any problem yet. But we do not want to face any problems due to this error in the production environment.
    All disks of the server are managed by the LSI MegaRAID controller, which doesn't report any errors in the disk system.
    It is Windows Server 2012 with the latest updates.

    Wow, I have been having the exact same problems with Server 2012 WSB. I thought I had it resolved but it started acting up again. I tried 3 different external hard drives thinking they may be the problem. The raid array also seems fine, it is not giving me any errors, no amber lights.
    If I run a backup of system state + hyper-v it would fail 9/10 of the time on the host component. I have posted everywhere and cannot find anything. These are the events during any backup I run.
    Source: Disk
    Event ID: 153
    The IO operation at logical block address 10a58027 for Disk 5 was retried.
    Source: VOLSNAP
    Event ID: 25
    The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time.  Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.
    Source: Filter Manager
    Event ID: 3
    Filter Manager failed to attach to volume '\Device\HarddiskVolume109'.  This volume will be unavailable for filtering until a reboot.  The final status was 0xC03A001C.
    Source:  VOLSNAP
    Event ID: 27
    The shadow copies of volume \\?\Volume{a21d0bb7-7147-11e2-93ed-842b2b0982fe} were aborted during detection because a critical control file could not be opened.
    Source:  VHDMP
    Event ID: 129
    Reset to device, \Device\RaidPort4, was issued.
    Source:  VOLSNAP
    Event ID: 25
    The shadow copies of volume G: were deleted because the shadow copy storage could not grow in time.  Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.
    Windows backup gives me various errors for what did not backup.  Mainly this one:
    Error in backup of C:\ during enumerate: Error [0x80070003] The system cannot find the path specified.
    Application backup
    Writer Id: {66841CD4-6DED-4F4B-8F17-FD23F8DDC3DE}
       Component: Host Component
       Caption     : Host Component
       Logical Path: 
       Error           : 8078010D
       Error Message   : Enumeration of the files failed.
       Detailed Error  : 80070003
       Detailed Error Message : (null)
    Not just the host component, sometimes the entire C: ...
    So no one has any recommendations on fixing this?
    Is anyone running Dell AppAssure? I have two servers backing up to this server with Dell AppAssure. Then I am using WSB to back up this machine's OS and 1 Windows 7 VM.

  • The IO operation at logical block address 0x747b49c0 for Disk 0 was retried

    The IO operation at logical block address 0x747b49c0 for Disk 0 was retried

    nasir-ahmad wrote:
    The IO operation at logical block address 0x747b49c0 for Disk 0 was retried
    Sounds like a bad hard drive, but since we have no idea what computer this is coming from, you're asking us to find a needle in a haystack.
    I am a Volunteer to help others on here, not an HP employee.
    Replies aren't online 24/7 because of Time Zone differences.
    Remember in this Day and Age of Computing the Internet is Knowledge at your fingertips if you choose to understand it. -2015-

  • A Linux inode contains a 13-member array which stores the actual block addresses of the data. Similarly, in Windows, how is data managed on disk? How many members are in this array?

    A Linux inode contains a 13-member array which stores the actual block addresses of the data. Similarly, in Windows, how is data managed on disk? How many members are in this array?

    Hello Vijay Nerkar,
    Your question is not related to Windows Forms General. What is the data you mean and also what is that array?
    If you are looking for something related to Windows File System, see some words here:
    http://en.wikipedia.org/wiki/File_system
    For example
    "Windows makes use of the
    FAT, NTFS,
    exFAT and ReFS file systems (the last of these is only supported and usable in
    Windows Server 2012; Windows cannot boot from it).
    Windows uses a drive letter abstraction at the user level to distinguish one disk or partition from another. For example, the
    path <tt>C:\WINDOWS</tt> represents a directory <tt>WINDOWS</tt> on the partition represented by the letter C. Drive C: is most commonly used for the primary hard disk partition, on which Windows is usually installed and from which it boots. This "tradition"
    has become so firmly ingrained that bugs exist in many applications which make assumptions that the drive that the operating system is installed on is C. The use of drive letters, and the tradition of using "C" as the drive letter for the primary hard disk
    partition, can be traced to
    MS-DOS, where the letters A and B were reserved for up to two floppy disk drives. This in turn derived from
    CP/M in the 1970s, and ultimately from IBM's
    CP/CMS of 1967.
    For more details, consider consult on MS Answers:
    http://answers.microsoft.com/en-us/windows
    Regards,
    Barry Wang

  • Firewall To Block Address

    hey guys,
    I am having trouble setting up the firewall in 10.4.11... I already have a hardware firewall in place but would like to easily be able to block certain addresses from the server.
    I have been reading on the latest manual for 10.4 Network Services (http://manuals.info.apple.com/en/NetworkServicesv10.4.pdf) on Page 142. It talks about blocking IPs and the part that confuses me is where it mentions "The General Tab". I can't see that anywhere on my screen.
    I am running the new 10.4.11 Server Admin Tools. I also totally started from fresh with the firewall in /etc/ipfilter by cleaning out all the non-default files.
    Basically I set up the Any field to a bare minimum of services. Then I added a local 10.0.1.0/24 address group giving access to file sharing etc. But when I make a "block" group with external addresses, with nothing ticked in services, I am still able to log in to all services from that remote machine.
    Do I need to reorder the Any/Block fields? How do I do that?
    Any help would be great!
    Many thanks,
    Tommy in London.

    hey guys,
    Just wanted to close this question.
    After pulling my hair out I stumbled upon an updated firewall page at http://docs.info.apple.com/article.html?path=ServerAdmin/10.4/en/c4ns11.html
    I found that blocking an address is now done through the Advanced tab of the firewall service's settings. It's really easy: just set it to deny and the address you want.
    Hope that helps others.
    Cheers,
    Tommy.

  • HT5625 Trying to restore access to valid Apple ID via 'Forgot your password' link.  Email authentication never reaches address. Any ideas?

    I am trying to restore access to another Apple ID via the ‘Forgot your password’ link.   I enter the e-mail address as an apple ID and click ‘Next’.  This offers 2 options:
    1) Email authentication: To access your information, we will send an email to the address(es) on file for you.
    2) Answer security questions: To access your information, you will need to answer the security question(s) provided when you originally created your Apple ID.
    Selecting the first option, the message ‘Email has been sent’ is displayed.  However, no email is ever received at the address entered.  I have tried this numerous times.
    Selecting the second option offers the prompt ‘Please verify your birth date to continue.’  I enter the date of birth and am presented with the message ‘The authentication information provided does not match our records. Please verify your personal information and try again’.
    Catch 22 - can anyone help me, as this seems an impossible situation for me to rectify?

    I had a similar problem. I had to call Apple support via phone and ask what apple ids my email was associated with. He was able to give me the email server it was associated with (ex: yahoo, gmail, hotmail, etc) and that sparked off the memory I needed to recall that ancient and unused apple id. Then I had to recover the password, log in to that old id and change the primary email address.
    As for no verification email sent, there is a major lag between changing your settings and them actually changing in Apple's system. I don't know why this is. I couldn't delete a secondary email no matter what I tried. Then 4 hours later, it finally let me do it.
    Hope this helped a little, good luck!

  • Website blocked by filter, never blocked my websites before.

    The website I go onto on an hourly basis suddenly became blocked by a filter, and I have no idea how to unblock the site.

    What error message are you getting?

  • Logical Block Addressing (LBA)

    I have been having dual-boot issues for the past few years, the problem is...I can never get it to boot both operating systems. One suggestion by SUSE is to enable LBA in the BIOS. The article is here
    My current motherboard is the MSIO K8N Neo Platinum with an AMD64 3400+ chipset. I do not see any options about enabling LBA in my BIOS.

    If you left the BIOS settings at default, LBA should be enabled anyway. There is an option in the menu where you enable the primary and secondary IDE.

  • Tcp Reset question - IPS Sensor 4255

    I have this sensor doing TCP resets. The question I have is, if I add a network to the "never block addresses", will the sensor still send TCP resets even though the network is in the never block list? If so, how do I tell the sensor not to block certain IP addresses?
    Thanks in advance
    Phil

    You can configure sensors to send TCP reset packets to try to reset a network connection between an attacker host and its intended target host. In some installations when the interface is operating in promiscuous mode, the sensor may not be able to send the TCP reset packets over the same sensing interface on which the attack was detected. In such cases, you can associate the sensing interface with an alternate TCP reset interface and any TCP resets that would otherwise be sent on the sensing interface when it is operating in promiscuous mode, are instead sent out on the associated alternate TCP reset interface.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_guide_chapter09186a008055fc77.html

  • What is the best way to filter an IP from being blocked?

    What is the best way to filter an IP from being blocked by a false positive? Event Action Filter?

    I'll assume you really mean "blocked" as opposed to "denied". You can either create an event action filter and subtract the blocked action, or you can add the address to the "never block" addresses.

  • SMTP IPS block problem

    I set up ID 3110 (suspicious mail attachment) to deny attacker inline, thinking that nobody needs to send those types of attachments and it would cut down on viruses. Worked fine until today, when someone internal tried to send one and the IPS blocked my internal SMTP server from going to the internet. Is there a way of setting up exceptions in the IPS so that my internal IP range is always allowed access? Or is there a better way of doing this?
    Thanks for the help.

    We've seen false positives with that signature, but YMMV...they've modified it recently so maybe it's fixed.
    anyway, to answer your question...there are two ways to handle this.
    1) Use an event filter to subtract the action from the alarm. The mail server source IP would be part of the criteria in the filter. You might want to consider creating an event variable for your entire DMZ and creating an event filter that subtracts any of the "deny" actions if DMZ=source. See Event Action Rules->Event Action Filters in the IDM.
    2) Add the source IP or network to the "never block addresses". See Blocking->Blocking Properties in the IDM. I don't believe this works for actions that are "deny"; you'll need an event filter for those.
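The 5.1(3) answer earlier on this page (an event action filter that subtracts only the request-block-* actions and leaves produce-alert in place) and the two answers here (filter versus never-block, and never-block not covering the inline deny actions) describe one decision, so here is a single added Python model of it. This is not code from the original posts or from the IPS software; the signature number and action names are the ones the posters quote, while the addresses, the extra inline action names, and the statement that the never-block list affects only request-block-* actions are taken from the posters' words and treated as assumptions of the example.

```python
"""Added example, not from the original posts or from the IPS software.

Models how an event's configured actions are reduced by
  - an IPS 5.x event action filter (subtracts the listed actions, keeps the rest),
  - an IPS 4.1 filter as the thread describes it (drops the whole event),
  - the never-block list (per the thread, honoured by the blocking service
    for request-block-* actions only, not for inline deny-* actions).
Signature id, addresses and action names are assumptions for illustration.
"""
import ipaddress

BLOCK_ACTIONS = {"request-block-host", "request-block-connection"}
DENY_ACTIONS = {"deny-attacker-inline", "deny-connection-inline", "deny-packet-inline"}


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def filter_matches(flt, event):
    """A filter matches when the signature id is in its list (an empty list
    meaning all signatures) and the attacker address falls in one of its
    networks (an event variable such as $DMZ would expand to such a list)."""
    sig_ok = not flt["sig_ids"] or event["sig_id"] in flt["sig_ids"]
    return sig_ok and _in_any(event["attacker"], flt["attacker_nets"])


def apply_filters_v5(event, filters):
    """5.x semantics: subtract only the named actions from a matching event."""
    actions = set(event["actions"])
    for flt in filters:
        if filter_matches(flt, event):
            actions -= set(flt["remove"])
    return actions


def apply_filters_v4(event, filters):
    """4.1 semantics as described in the thread: a match removes the event
    and every action with it, including the alert itself."""
    return set() if any(filter_matches(f, event) for f in filters) else set(event["actions"])


def apply_never_block(actions, attacker, never_block_nets):
    """Never-block is consulted by the blocking service, so only the
    request-block-* actions are dropped; inline deny-* actions remain
    (assumption taken from the second answer above)."""
    if _in_any(attacker, never_block_nets):
        return actions - BLOCK_ACTIONS
    return actions


def resolve_actions(event, filters=(), never_block_nets=(), version=5):
    """Final action set for an event after filters and the never-block list."""
    actions = apply_filters_v5(event, filters) if version == 5 else apply_filters_v4(event, filters)
    return apply_never_block(actions, event["attacker"], never_block_nets)


# Constructed sample event: the SMTP signature from the thread firing on an
# internal mail server (assumed address) whose signature has produce-alert,
# an inline deny and a request-block-host configured.
MAIL_SERVER = "192.0.2.25"
INTERNAL_NETS = ["192.0.2.0/24"]
SMTP_EVENT = {
    "sig_id": 3110,
    "attacker": MAIL_SERVER,
    "actions": {"produce-alert", "deny-attacker-inline", "request-block-host"},
}
# Filter for all signatures where the attacker is one of our own hosts:
# strip every deny and block action but keep produce-alert.
OWN_HOSTS_FILTER = {"sig_ids": set(), "attacker_nets": INTERNAL_NETS,
                    "remove": DENY_ACTIONS | BLOCK_ACTIONS}

if __name__ == "__main__":
    print("5.x filter      :", resolve_actions(SMTP_EVENT, [OWN_HOSTS_FILTER]))
    print("4.1 filter      :", resolve_actions(SMTP_EVENT, [OWN_HOSTS_FILTER], version=4))
    print("never-block only:", resolve_actions(SMTP_EVENT, never_block_nets=INTERNAL_NETS))
```

With the 5.x filter the mail server's event keeps only produce-alert, so it still shows in the viewer; the 4.1-style filter swallows the event entirely; and the never-block list alone leaves deny-attacker-inline in place, which is exactly the outage the SMTP question describes. An event from an external attacker matches neither mechanism and keeps all three actions.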

  • IDSM-2 - Promiscuous Mode

    I would like my IDSM-2 to run in Promiscuous Mode (and not INLINE mode).
    How can I configure it so that it works on the "Block Nothing, Monitor Everything" principle?
    I need the blade to "Never" block the upstream devices like routers and firewalls.
    By the way, how will the IDSM running in Promiscuous Mode even "know" of upstream routers and other network devices?
    Thanks !!!

    Hi,
    You can find how to configure the IDSM-2 to run in promiscuous mode here.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1030752
    From there, you can find IOS vs. CatOS configuration as well as SPAN vs. VACL.
    Once that is done, you can find configuration guide here regarding IPS software. I will list both CLI and IDM in case you prefer one over the other...
    CLI -
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1033699
    IDM -
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804cf4c2.html#wp1031960
    In promiscuous mode, unless you configure blocking with blocking device, it will never block anything by default. Even with blocking, you can configure never-block addresses.
    CLI -
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df77.html#wp1031471
    IDM -
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804d1374.html#wp1037905
    The IDSM will not know which is which (upstream routers and other network devices) unless you specify them in 'never block' or 'blocking devices'.
    Thank you.
    Edward

  • What is the best way to trace an iFS session ?

    Hi, can anyone tell me the best way to capture the sql generated
    by an iFS session ?
    I've tried using the traceLogger classes but can't get much out of them
    ( anyone have sample code for this ? )
    Is the only way by looking in the database in v$sqlarea and using OEM tools
    etc ?
